House Tweaks Video Privacy Law for Frictionless Sharing

Yesterday, the House of Representatives passed H.R. 2471, a proposed revision to the Video Privacy Protection Act (VPPA), the law that prohibits companies from disclosing information about your movie-viewing habits without your affirmative consent. Privacy advocates consider the VPPA one of the high-water marks of privacy legislation — video records are one of the few categories of personal information for which there exist strong protections under the law. For this reason, a lot of privacy groups are understandably wary about efforts to cut back on its protections. From CDT’s point of view, the suggested revision is reasonable and justifiable, though there are considerably more important privacy issues that Congress should be addressing (notably, the lack of basic protections around most other consumer data).

The call to revise the VPPA started this summer when Facebook announced its latest generation of “social apps” that allow users to passively share their music listening or news reading habits on an ongoing basis. Install one of these apps (like Spotify or the Washington Post Social Reader), and whatever you listen to or read through those apps will automatically be published to your Facebook friends, without the bother of having to affirmatively ask to share each song or story.

Netflix apparently wanted to take advantage of these apps as well but there was one problem: The VPPAsays that consent must be obtained from a consumer whenever the disclosure is sought. Thus, users of a Netflix social app can’t give the app permission in advance to publish in real time whenever they watch Transformers 3 or The Notebook (again) — instead, they have to give a new permission each time they watch a movie.

The language of H.R. 2471 is designed to allow for consumers to grant a permanent permission to disclose movie-watching habits on an ongoing basis. That’s a reasonable enough goal — if people want to tell all their friends every single thing they watch without the bother of clicking “Okay” each time, that should be their prerogative. At the same time, the time-of-disclosure permission requirement in the original law was crafted for a reason — to make sure that consumers didn’t unwittingly sign away permission in advance and then find out later that their viewing habits were public knowledge. Allowing companies to get permission all at once could result in companies putting disclosure permission in a long Terms of Service agreement or privacy policy that no one’s actually likely to read.

For this reason, Representative Nadler introduced language at the October mark-up to ensure that any ongoing disclosure will be permitted only after a company obtains the informed, written consent of a consumer “in a form distinct and separate” from any other financial and legal obligations. We had suggested slightly different language based on a comparable provision in location privacy legislation introduced by Senator Franken that would also require the language to be clear and prominent, but the Nadler language probably does the trick — it’s hard to envision how a company could trick a consumer into opting in if the permission isn’t buried in a bunch of other language.

Despite this improvement, some privacy groups such as EPIC have strongly opposed the bill, and 116 members eventually voted against H.R. 2471 yesterday. We share the general concern that the VPPA should remain a model for other privacy legislation and should not be weakened, but we do not believe that this particular revision undermines the fundamental purpose of the law.

As a final note, however, while we believe this bill does not pose a threat to consumers’ privacy interests, it is unfortunate that this is the only privacy legislation that seems likely to move anytime soon — a minor tweak that merely allows consumers to passively share more data about themselves. If some Facebook users are glad for the change, that’s great, but it’s hardly something that most consumers have been actively clamoring for. We would feel stronger about the bill if it offered some benefit to consumers who don’t plan to take advantage of automatic sharing, such as by clarifying that the law applies to online streaming of movies — something that wasn’t envisioned when the VPPA was passed in 1988. More broadly, there’s a lot more consumer interest in generally improving privacy protections to make sure they understand what data is being collected and used about them, and to give them stronger controls around that data. While severalpromisingbillshavebeen introduced, there has been little action on those bills over the last several months. Hopefully next year, we’ll see progress on the more pressing need for more comprehensive privacy legislation.